Update source protocol on rockspec

Support passing DANE flags

CHANGELOG

@@ -1,3 +1,22 @@
+--------------------------------------------------------------------------------
+LuaSec 1.1.0
+---------------
+This version includes:
+
+* Fix missing DANE flag
+* Remove unused parameter in https.lua
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.2
+---------------
+This version includes:
+
+* Fix handle SSL_send SYSCALL error without errno
+* Fix off by one in cert:validat(notafter)
+* Fix meth_get_{sinagure => signature}_name function name
+* Fix update the Lua state reference on the selected SSL context after SNI
+* Fix ignore SSL_OP_BIT(n) macro and update option.c
+
 --------------------------------------------------------------------------------
 LuaSec 1.0.1
 ---------------

INSTALL

@@ -1,9 +1,9 @@
-LuaSec 1.0.1
+LuaSec 1.1.0
 ------------
 
 * OpenSSL options:
 
-    By default, this version includes options for OpenSSL 1.1.1.
+    By default, this version includes options for OpenSSL 3.0.0 beta2
 
     If you need to generate the options for a different version of OpenSSL:
 

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 1.0.1 license
-Copyright (C) 2006-2021 Bruno Silvestre, UFG
+LuaSec 1.1.0 license
+Copyright (C) 2006-2022 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the

README.md

@@ -1,4 +1,4 @@
-LuaSec 1.0.1
+LuaSec 1.1.0
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.

luasec-1.1.0-1.rockspec

@@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "1.0.1-1"
+version = "1.1.0-1"
 source = {
-  url = "git://github.com/brunoos/luasec",
-  tag = "v1.0.1",
+  url = "git+https://github.com/brunoos/luasec",
+  tag = "v1.1.0",
 }
 description = {
    summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",

samples/ocsp/client.lua

@@ -1,54 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-local ocsp   = ssl.ocsp
-
--- Parameters
---   * status:
---     * nil                          (no status was sent by server)
---     * ocsp.status.successful
---     * ocsp.status.malformedrequest
---     * ocsp.status.internalerror
---     * ocsp.status.trylater
---     * ocsp.status.sigrequired
---     * ocsp.status.unauthorized
---
--- Returns
---   * nil: on error
---   * true: status was accepted (continue the handshake)
---   * false: status not accepted (handshake stops with error)
---
-local callback = function(status)
-  print("Status: ", status)
-  print("---")
-
-  if status == nil then
-    print("[WARN] No OCSP response")
-    return true
-  end
-
-  return (status == ocsp.status.successful)
-end
-
-local params = {
-   mode     = "client",
-   protocol = "tlsv1_2",
-   verify   = "none",
-   options  = "all",
-   ocsp     = callback,
-}
-
-while true do
-  local peer = socket.tcp()
-  peer:connect("127.0.0.1", 8443)
-  
-  peer = assert(ssl.wrap(peer, params))
-  assert(peer:dohandshake())
-  
-  print(peer:receive())
-  print("------------")
-  peer:close()
-end

samples/ocsp/server.lua

@@ -1,89 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-local mime   = require("mime")
-local ltn12  = require("ltn12")
-local http   = require("socket.http")
-
-local ocsp   = ssl.ocsp
-
---------------------------------------------------------------------------------
-
-local response
-
-function loadresponse(certfile, cafile)
-  local f = io.open(cafile)
-  local ca = f:read("*a")
-  ca = ssl.loadcertificate(ca)
-  f:close()
- 
-  f = io.open(certfile)
-  local cert = f:read("*a")
-  cert = ssl.loadcertificate(cert)
-  f:close()
- 
-  local res = {}
-  local req = ocsp.buildrequest(cert, ca)
-  req = mime.b64(req)
- 
-  local a, b = http.request {
-    url = "http://zerossl.ocsp.sectigo.com/" .. req,
-    method = "GET",
-    sink = ltn12.sink.table(res),
-    header = {
-      ["Content-Type"] = "application/ocsp-request",
-      ["Host"] = "zerossl.ocsp.sectigo.com",
-    },
-  }
- 
-  response = table.concat(res)
-
-  local thisupd, nextupd = ocsp.responsetime(response)
-  print("This update: ", thisupd)
-  print("Next update: ", nextupd)
-end
-
---------------------------------------------------------------------------------
-
-local cafile = "ca.pem"
-local certfile = "server.pem"
-
--- Remember to update 'response' before 'next update'
-local callback = function()
-  if not response then
-    loadresponse(certfile, cafile)
-  end
-  return response
-end
-
-local params = {
-   mode = "server",
-   protocol = "any",
-   key = "server.key",
-   certificate = certfile,
-   verify = "none",
-   options = "all",
-   ocsp = callback,
-}
-
---------------------------------------------------------------------------------
-
-local ctx = assert(ssl.newcontext(params))
-
-local server = socket.tcp()
-server:setoption('reuseaddr', true)
-assert(server:bind("127.0.0.1", 8443))
-server:listen()
-
-while true do
-  local peer = server:accept()
-  peer = assert(ssl.wrap(peer, ctx))
-  local succ = peer:dohandshake()
-  if succ then
-    peer:send("OCSP test\n")
-    peer:close()
-  end
-end

src/compat.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/config.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre.
+ * Copyright (C) 2006-2022 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -77,14 +77,14 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
 #ifdef LSEC_ENABLE_DANE
   // DANE
   lua_pushstring(L, "dane");
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  lua_createtable(L, 0, 1);
+  lua_pushstring(L, "no_ee_namechecks");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
-#endif
-
-#ifndef OPENSSL_NO_OCSP
-  // OCSP
-  lua_pushstring(L, "ocsp");
+#else
   lua_pushboolean(L, 1);
+#endif
   lua_rawset(L, -3);
 #endif
 

src/context.c

@@ -1,9 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann, 
  *                         Matthew Wild.
- * Copyright (C) 2006-2021 Bruno Silvestre.
+ * Copyright (C) 2006-2022 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -17,19 +17,15 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/x509_vfy.h>
 #include <openssl/dh.h>
 
-#ifndef OPENSSL_NO_OCSP
-#include <openssl/ocsp.h>
-#endif
-
 #include <lua.h>
 #include <lauxlib.h>
 
 #include "compat.h"
 #include "context.h"
 #include "options.h"
-#include "x509.h"
 
 #ifndef OPENSSL_NO_EC
 #include <openssl/ec.h>
@@ -712,207 +708,35 @@ static int set_alpn_cb(lua_State *L)
   return 1;
 }
 
-#ifndef OPENSSL_NO_OCSP
-static int ocsp_server_cb(SSL *ssl, void *arg)
-{
-  int len;
-  BIO *bio;
-  const char *data;
-  unsigned char *r = NULL;
-  OCSP_RESPONSE *resp = NULL;
-  p_context ctx = (p_context)arg;
-  lua_State *L = ctx->L;
-
-  // Retrieve the callback
-  luaL_getmetatable(L, "SSL:OCSP:Registry");
-  lua_pushlightuserdata(L, ctx->context);
-  lua_rawget(L, -2);
-
-  lua_call(L, 0, 1);
-  if (lua_type(L, -1) != LUA_TSTRING) {
-    return SSL_TLSEXT_ERR_NOACK;
-  }
-
-  data = lua_tostring(L, -1);
-  len  = (int)lua_rawlen(L, -1);
-
-  bio = BIO_new_mem_buf(data, len);
-  if (bio == NULL)
-    return SSL_TLSEXT_ERR_NOACK;
-
-  resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
-  BIO_free(bio);
-  if (resp == NULL)
-    return SSL_TLSEXT_ERR_NOACK;
-
-  len = i2d_OCSP_RESPONSE(resp, &r);
-  if (len <= 0) {
-    OCSP_RESPONSE_free(resp);
-    return SSL_TLSEXT_ERR_NOACK;
-  }
-
-  SSL_set_tlsext_status_ocsp_resp(ssl, r, len);
-  OCSP_RESPONSE_free(resp);
-  return SSL_TLSEXT_ERR_OK;
-}
-
-static int ocsp_client_cb(SSL *ssl, void *arg)
-{
-  long len;
-  const unsigned char *b;
-  OCSP_RESPONSE *ocsp = NULL;
-  p_context ctx = (p_context)arg;
-  lua_State *L = ctx->L;
-
-  // Retrieve the callback
-  luaL_getmetatable(L, "SSL:OCSP:Registry");
-  lua_pushlightuserdata(L, ctx->context);
-  lua_rawget(L, -2);
-
-  len = SSL_get_tlsext_status_ocsp_resp(ssl, &b);
-  if (len == -1)
-    lua_pushnil(L);
-  else {
-    ocsp = d2i_OCSP_RESPONSE(NULL, &b, len);
-    lua_pushinteger(L, OCSP_response_status(ocsp));
-    OCSP_RESPONSE_free(ocsp);
-  }
-
-  lua_call(L, 1, 1);
-  return (lua_type(L, -1) != LUA_TBOOLEAN) ? -1 : (int)lua_toboolean(L, -1);
-}
-
-static int set_ocsp_cb(lua_State *L)
-{
-  int ret;
-  p_context ctx = checkctx(L, 1);
-
-  luaL_getmetatable(L, "SSL:OCSP:Registry");
-  lua_pushlightuserdata(L, (void*)ctx->context);
-  lua_pushvalue(L, 2);
-  lua_settable(L, -3);
-
-  ret = (int)SSL_CTX_set_tlsext_status_type(ctx->context, TLSEXT_STATUSTYPE_ocsp);
-  if (ret == 0) {
-    lua_pushboolean(L, 0);
-    return 1;
-  }
-
-  if (ctx->mode == LSEC_MODE_CLIENT)
-    ret = (int)SSL_CTX_set_tlsext_status_cb(ctx->context, ocsp_client_cb);
-  else
-    ret = (int)SSL_CTX_set_tlsext_status_cb(ctx->context, ocsp_server_cb);
-
-  if (ret == 0) {
-    lua_pushboolean(L, 0);
-    return 1;
-  }
-
-  ret = (int)SSL_CTX_set_tlsext_status_arg(ctx->context, ctx);
-  lua_pushboolean(L, ret == 1);
-  return 1;
-}
-
-static int ocsp_build_request(lua_State *L)
-{
-  long len;
-  BIO *bio;
-  X509 *cert;
-  X509 *issuer;
-  OCSP_CERTID *cid;
-  OCSP_REQUEST *req;
-  char *buf;
-
-  cert = lsec_checkx509(L, 1);
-  issuer = lsec_checkx509(L, 2);
-
-  req = OCSP_REQUEST_new();
-  if (req == NULL) {
-    lua_pushnil(L);
-    return 1;
-  }
-
-  cid = OCSP_cert_to_id(NULL, cert, issuer);
-  if (cid == NULL) {
-    lua_pushnil(L);
-    return 1;
-  }
-
-  if (OCSP_request_add0_id(req, cid) == NULL) {
-    lua_pushnil(L);
-    return 1;
-  }
-
-  bio = BIO_new(BIO_s_mem());
-  i2d_OCSP_REQUEST_bio(bio, req);
-  len = BIO_get_mem_data(bio, &buf);
-  lua_pushlstring(L, buf, len);
-
-  BIO_free(bio);
-  OCSP_REQUEST_free(req);
-
-  return 1;
-}
-
-static int ocsp_response_time(lua_State *L)
-{
-  long len;
-  BIO *bio;
-  char *buf;
-  int reason;
-  OCSP_BASICRESP *bs;
-  OCSP_SINGLERESP *sr;
-  OCSP_RESPONSE *res;
-  ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
-
-  buf = (char*)lua_tostring(L, 1);
-  len = (long)lua_rawlen(L, 1);
-
-  res = d2i_OCSP_RESPONSE(NULL, (const unsigned char**)&buf, (int)len);
-  if (res == NULL) {
-    lua_pushnil(L);
-    lua_pushnil(L);
-    return 2;
-  }
-
-  bs = OCSP_response_get1_basic(res);
-  if (bs == NULL) {
-    lua_pushnil(L);
-    lua_pushnil(L);
-    return 2;
-  }
-
-  sr = OCSP_resp_get0(bs, 0);
-  OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
-
-  bio = BIO_new(BIO_s_mem());
-  ASN1_GENERALIZEDTIME_print(bio, thisupd);
-  len = BIO_get_mem_data(bio, &buf);
-  lua_pushlstring(L, buf, len);
-  BIO_free(bio);
-
-  bio = BIO_new(BIO_s_mem());
-  ASN1_GENERALIZEDTIME_print(bio, nextupd);
-  len = BIO_get_mem_data(bio, &buf);
-  lua_pushlstring(L, buf, len);
-  BIO_free(bio);
-
-  OCSP_BASICRESP_free(bs);
-  OCSP_RESPONSE_free(res);
-
-  return 2;
-}
-#endif
-
 #if defined(LSEC_ENABLE_DANE)
 /*
  * DANE
  */
+static int dane_options[] = {
+  /* TODO move into options.c
+   * however this symbol is not from openssl/ssl.h but rather from
+   * openssl/x509_vfy.h
+   * */
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  DANE_FLAG_NO_DANE_EE_NAMECHECKS,
+#endif
+  0
+};
+static const char *dane_option_names[] = {
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  "no_ee_namechecks",
+#endif
+  NULL
+};
+
 static int set_dane(lua_State *L)
 {
-  int ret;
+  int ret, i;
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
   ret = SSL_CTX_dane_enable(ctx);
+  for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
+    ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
+  }
   lua_pushboolean(L, (ret > 0));
   return 1;
 }
@@ -942,9 +766,6 @@ static luaL_Reg funcs[] = {
 #endif
 #if defined(LSEC_ENABLE_DANE)
   {"setdane",         set_dane},
-#endif
-#if !defined(OPENSSL_NO_OCSP)
-  {"setocspcb",       set_ocsp_cb},
 #endif
   {NULL, NULL}
 };
@@ -971,10 +792,6 @@ static int meth_destroy(lua_State *L)
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
-    luaL_getmetatable(L, "SSL:OCSP:Registry");
-    lua_pushlightuserdata(L, (void*)ctx->context);
-    lua_pushnil(L);
-    lua_settable(L, -3);
 
     SSL_CTX_free(ctx->context);
     ctx->context = NULL;
@@ -1112,55 +929,6 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
 
 /*------------------------------ Initialization ------------------------------*/
 
-#ifndef OPENSSL_NO_OCSP
-struct ocsp_status_response_s {
-  const char *name;
-  int value;
-};
-
-typedef struct ocsp_status_response_s ocsp_status_response_t;
-
-static ocsp_status_response_t status_response[] = {
-  {"successful",       OCSP_RESPONSE_STATUS_SUCCESSFUL},
-  {"malformedrequest", OCSP_RESPONSE_STATUS_MALFORMEDREQUEST},
-  {"internalerror",    OCSP_RESPONSE_STATUS_INTERNALERROR},
-  {"trylater",         OCSP_RESPONSE_STATUS_TRYLATER},
-  {"sigrequired",      OCSP_RESPONSE_STATUS_SIGREQUIRED},
-  {"unauthorized",     OCSP_RESPONSE_STATUS_UNAUTHORIZED},
-  {NULL, 0}
-};
-
-static luaL_Reg ocsp_funcs[] = {
-  {"buildrequest", ocsp_build_request},
-  {"responsetime", ocsp_response_time},
-  {NULL, NULL}
-};
-
-
-/**
- * OCSP module
- */
-LSEC_API int luaopen_ssl_context_ocsp(lua_State *L)
-{
-  ocsp_status_response_t *ptr;
-
-  luaL_newlib(L, ocsp_funcs);
-
-  lua_pushstring(L, "status");
-  lua_newtable(L);
-  for (ptr = status_response; ptr->name; ptr++) {
-    lua_pushstring(L, ptr->name);
-    lua_pushinteger(L, ptr->value);
-    lua_rawset(L, -3);
-  }
-  lua_rawset(L, -3);
-
-  return 1;
-}
-#endif
-
-//------------------------------------------------------------------------------
-
 /**
  * Registre the module.
  */
@@ -1169,7 +937,6 @@ LSEC_API int luaopen_ssl_context(lua_State *L)
   luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks   */
   luaL_newmetatable(L, "SSL:ALPN:Registry");    /* Keep all ALPN callbacks */
   luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags   */
-  luaL_newmetatable(L, "SSL:OCSP:Registry");    /* Keep all OCSP callbacks */
   luaL_newmetatable(L, "SSL:Context");
   setfuncs(L, meta);
 

src/context.h

@@ -2,9 +2,9 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ec.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/https.lua

@@ -1,6 +1,6 @@
 ----------------------------------------------------------------------------
--- LuaSec 1.0.1
--- Copyright (C) 2009-2021 PUC-Rio
+-- LuaSec 1.1.0
+-- Copyright (C) 2009-2022 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@@ -18,8 +18,8 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "1.0.1",
-  _COPYRIGHT = "LuaSec 1.0.1 - Copyright (C) 2009-2021 PUC-Rio",
+  _VERSION   = "1.1.0",
+  _COPYRIGHT = "LuaSec 1.1.0 - Copyright (C) 2009-2022 PUC-Rio",
   PORT       = 443,
   TIMEOUT    = 60
 }
@@ -93,7 +93,7 @@ local function tcp(params)
          self.sock:sni(host)
          self.sock:settimeout(_M.TIMEOUT)
          try(self.sock:dohandshake())
-         reg(self, getmetatable(self.sock))
+         reg(self)
          return 1
       end
       return conn

src/options.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -13,13 +13,16 @@
 
 
 /* 
-  OpenSSL version: OpenSSL 1.1.1
+  OpenSSL version: OpenSSL 3.0.0-beta2
 */
 
 static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_ALL)
   {"all", SSL_OP_ALL},
 #endif
+#if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
+  {"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
+#endif
 #if defined(SSL_OP_ALLOW_NO_DHE_KEX)
   {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
 #endif
@@ -32,21 +35,33 @@ static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_CISCO_ANYCONNECT)
   {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
 #endif
+#if defined(SSL_OP_CLEANSE_PLAINTEXT)
+  {"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
+#endif
 #if defined(SSL_OP_COOKIE_EXCHANGE)
   {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
 #endif
 #if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
   {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
 #endif
+#if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
+  {"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
+#endif
 #if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
   {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
 #endif
+#if defined(SSL_OP_ENABLE_KTLS)
+  {"enable_ktls", SSL_OP_ENABLE_KTLS},
+#endif
 #if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
   {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
 #endif
 #if defined(SSL_OP_EPHEMERAL_RSA)
   {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
 #endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+  {"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
+#endif
 #if defined(SSL_OP_LEGACY_SERVER_CONNECT)
   {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
 #endif
@@ -89,6 +104,9 @@ static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
   {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
 #endif
+#if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
+  {"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
+#endif
 #if defined(SSL_OP_NO_QUERY_MTU)
   {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
 #endif

src/options.h

@@ -2,9 +2,9 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/options.lua

@@ -4,7 +4,7 @@ local function usage()
   print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
   print("* Examples:")
   print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
 
   print("* List options of your system:")
   print("  lua options.lua -l /path/to/ssl.h\n")
@@ -18,9 +18,9 @@ end
 local function generate(options, version)
   print([[
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -60,9 +60,12 @@ local function loadoptions(file)
   local options = {}
   local f = assert(io.open(file, "r"))
   for line in f:lines() do
-    local op = string.match(line, "define%s+(SSL_OP_%S+)")
-    if op then
-      table.insert(options, op)
+    local op = string.match(line, "define%s+(SSL_OP_BIT%()")
+    if not op then
+      op = string.match(line, "define%s+(SSL_OP_%S+)")
+      if op then
+        table.insert(options, op)
+      end
     end
   end
   table.sort(options, function(a,b) return a<b end)

src/ssl.c

@@ -1,9 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann, 
  *                         Matthew Wild.
- * Copyright (C) 2006-2021 Bruno Silvestre.
+ * Copyright (C) 2006-2022 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -747,6 +747,8 @@ static int sni_cb(SSL *ssl, int *ad, void *arg)
   lua_pop(L, 4);
   /* Found, use this context */
   if (newctx) {
+    p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
+    pctx->L = L;
     SSL_set_SSL_CTX(ssl, newctx);
     return SSL_TLSEXT_ERR_OK;
   }
@@ -824,7 +826,7 @@ static int meth_getalpn(lua_State *L)
 
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 1.0.1 - Copyright (C) 2006-2021 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 1.1.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif

src/ssl.h

@@ -2,9 +2,9 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2022 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ssl.lua

@@ -1,7 +1,7 @@
 ------------------------------------------------------------------------------
--- LuaSec 1.0.1
+-- LuaSec 1.1.0
 --
--- Copyright (C) 2006-2021 Bruno Silvestre
+-- Copyright (C) 2006-2022 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
 
@@ -10,11 +10,6 @@ local context = require("ssl.context")
 local x509    = require("ssl.x509")
 local config  = require("ssl.config")
 
-local ocsp
-if config.capabilities.ocsp then
-  ocsp = require("ssl.context.ocsp")
-end
-
 local unpack  = table.unpack or unpack
 
 -- We must prevent the contexts to be collected before the connections,
@@ -207,15 +202,11 @@ local function newcontext(cfg)
    end
 
    if config.capabilities.dane and cfg.dane then
-      context.setdane(ctx)
-   end
-
-   if config.capabilities.ocsp and cfg.ocsp then
-      msg  = "error setting OCSP"
-      succ = type(cfg.ocsp) == "function"
-      if not succ then return nil, msg end
-      succ = context.setocspcb(ctx, cfg.ocsp)
-      if not succ then return nil, msg end
+      if type(cfg.dane) == "table" then
+         context.setdane(ctx, unpack(cfg.dane))
+      else
+         context.setdane(ctx)
+      end
    end
 
    return ctx
@@ -284,10 +275,9 @@ core.setmethod("info", info)
 --
 
 local _M = {
-  _VERSION        = "1.0.1",
+  _VERSION        = "1.1.0",
   _COPYRIGHT      = core.copyright(),
   config          = config,
-  ocsp            = ocsp,
   loadcertificate = x509.load,
   newcontext      = newcontext,
   wrap            = wrap,

src/x509.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
  *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
@@ -658,7 +658,7 @@ static int meth_set_encode(lua_State* L)
 /**
  * Get signature name.
  */
-static int meth_get_sinagure_name(lua_State* L)
+static int meth_get_signature_name(lua_State* L)
 {
   p_x509 px = lsec_checkp_x509(L, 1);
   int nid = X509_get_signature_nid(px->cert);
@@ -698,7 +698,7 @@ static luaL_Reg methods[] = {
   {"digest",     meth_digest},
   {"setencode",  meth_set_encode},
   {"extensions", meth_extensions},
-  {"getsignaturename", meth_get_sinagure_name},
+  {"getsignaturename", meth_get_signature_name},
   {"issuer",     meth_issuer},
   {"notbefore",  meth_notbefore},
   {"notafter",   meth_notafter},

src/x509.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0.1
+ * LuaSec 1.1.0
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
  *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/